"Breach" is defined in the Act as "the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information."

The regulations, developed by OCR, require health care providers and other HIPAA covered entities to promptly notify affected individuals of a breach, as well as the HHS Secretary and the media in cases where a breach affects more than 500 individuals. Breaches affecting fewer than 500 individuals will be reported to the HHS Secretary on an annual basis. The regulations also require business associates of covered entities to notify the covered entity of breaches at or by the business associate.

The Act defines "unsecured protected health information" as PHI that is not secured through the use of a technology or methodology specified by the Secretary in guidance. HHS has updated its guidance, specifying encryption and destruction as technologies and methodologies that render protected health information "unusable, unreadable, or indecipherable to unauthorized individuals." In other words: secured.

In the event that a covered entity determines unsecured PHI has been significantly breached, it must notify affected individuals, HHS, and possibly the media within 60 days.